
Microsoft Bounty Winner Finds Payoff Outside Comfort Zone

James Forshaw generally prefers finding bugs in code logic to hunting memory-corruption issues, but he admits he was incentivized by Microsoft’s $100,000 mitigation-bypass bounty.

Give James Forshaw a good logic bug over a memory-corruption vulnerability any day of the week.

The British researcher says he would rather manipulate weaknesses in code to climb out of an application sandbox than turn a fuzzer against a piece of software and spot a memory-corruption bug. But incentivized by Microsoft’s recent announcement that it was offering serious money for novel mitigation-bypass techniques, the temptation was too great for Forshaw to pass up.

“[Microsoft] has pretty much banned me from specifying any detail,” Forshaw said. “What I can share is that it’s a bypass for a number of platform mitigations that allows you to get code execution without troubling DEP or ASLR.”

Data Execution Prevention and Address Space Layout Randomization are exploit mitigations native to Windows and other operating systems. DEP marks data regions such as the stack and heap as non-executable, so injected shellcode cannot simply run in place; ASLR randomizes where executable images, stacks and heaps are mapped, so an exploit cannot rely on fixed addresses. Numerous exploits, including a recent Internet Explorer zero day, have defeated or sidestepped both, typically by leaking an address to undo ASLR or by reusing code from a module that was not built with ASLR support, but that doesn’t mean bypassing them is any less of a challenge for researchers and hackers alike.

“So I have written exploits that go after these sorts of technologies in the past; there are different ways of defeating ASLR and DEP to get information leaks or get DLLs to work that are not ASLR-enabled (such as the IE zero day managed),” Forshaw said. “But I’m more of a logic bug finder than memory corruption.”
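The non-ASLR DLLs Forshaw mentions are a classic way around the mitigations described above: a module that does not opt into ASLR (or that has its relocations stripped) loads at a predictable address and gives an attacker a fixed source of code to reuse. The check below is an added example, not code from the article, from Forshaw or from Microsoft. It reads the DEP and ASLR opt-in bits directly from a PE image's headers; the `build_minimal_pe` fixture constructs bare in-memory headers so the script runs offline, and `pe_mitigations` accepts the bytes of a real DLL just as well.

```python
"""Read the DEP/ASLR opt-in flags from a PE image's headers.

Added example. The PE header offsets and flag values come from the
PE/COFF specification; build_minimal_pe() is a constructed fixture,
not a loadable image.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
DYNAMIC_BASE = 0x0040      # image may be rebased at load time: ASLR opt-in
NX_COMPAT = 0x0100         # image declares itself DEP-compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: high-entropy ASLR
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001   # no relocation data: cannot actually be rebased

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return which exploit mitigations a PE image opts into.

    Only the DOS stub, COFF header and optional header are parsed.
    'aslr' is True only if DYNAMIC_BASE is set AND relocations are
    present, because the loader cannot randomize an image it cannot
    relocate.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte PE signature
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")

    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    is_64 = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is_64,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": is_64 and bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
    }


def weak_modules(images: dict) -> list:
    """Names of images an attacker would look for: no ASLR or no DEP."""
    return sorted(name for name, data in images.items()
                  if not (pe_mitigations(data)["aslr"] and pe_mitigations(data)["dep"]))


def build_minimal_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed fixture: the smallest header layout pe_mitigations() needs."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine: AMD64 / I386
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample set; names are hypothetical, not real Windows modules
    samples = {
        "hardened.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT),
        "no_aslr.dll": build_minimal_pe(NX_COMPAT),
        "stripped_relocs.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT, file_chars=RELOCS_STRIPPED),
        "x64_hev.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True),
    }
    for name, data in samples.items():
        print(name, pe_mitigations(data))
    print("usable without an info leak:", weak_modules(samples))
```

To audit a real process you would run `pe_mitigations(open(path, "rb").read())` over every module the target loads; the `stripped_relocs.dll` case is the one that fools a naive check that only looks at `DYNAMIC_BASE`.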

Microsoft engineer Thomas Garnier also found an attack similar to the one submitted by Forshaw, but Microsoft senior security strategist Katie Moussouris said Forshaw’s entry was worthy of a full payout, the first since the bounty was announced.

“Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.

Forshaw said he spent three weeks doing research related to his bypass.

“Once I came up with something I felt was viable, I submitted it and learned two weeks ago Microsoft had accepted the entry,” Forshaw said. “I think I was sort of about 50 percent it was going to be accepted. There were a few things which it wasn’t clear from the rules whether it would meet their bar. There are seven criteria to meet, and I felt met them all, but it was a bit of a tense time.”

According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic, in that it applies to more than one memory-corruption vulnerability; it must be reliable; it must have reasonable requirements; it must be impactful, applying to a high-risk application such as a browser or document reader; it must apply to user-mode applications; it must target the latest version of a Microsoft product; and it must be novel, Microsoft said.

“It was the aspect of novelty I was worried about,” Forshaw said. “I couldn’t say for certain no one had ever used it before. I did my due diligence on my technique to see whether it had been published or used in anger before. I couldn’t find anything.”

While winning more than $100,000 this week may keep the accountants at Context smiling, Forshaw also took satisfaction in knowing he was on a similar track as a Microsoft engineer intimate with Windows code.

“There are quite clever people at Microsoft actively looking at these things. Beating them is quite a challenge,” Forshaw said, adding he much prefers these types of defensive-oriented competitions. “I think it’s certainly an interesting approach to take, focusing more on the defensive than offensive side. Only Microsoft is in position to do that; Google might be able to as well with the Chrome OS. Microsoft is wise to choose this approach versus an all-out free-for-all to find bugs.”

Authors

Threatpost
